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[^^ . Abstract 

In this paper we propose a use-case driven iterative design methodology for normative frameworks, 
also called virtual institutions, which are used to govern open systems. Our computational model rep- 
resents the normative framework as a logic program under answer set semantics (ASP). By means 
of an inductive logic programming (ILP) approach, implemented using ASP, it is possible to syn- 
Jv> , thesise new rules and revise existing ones. The learning mechanism is guided by the designer who 

S_j ■ describes the desired properties of the framework through use cases, comprising (i) event traces that 

C^ ' capture possible scenarios, and (ii) a state that describes the desired outcome. The learning process 

then proposes additional rules, or changes to current rules, to satisfy the constraints expressed in the 
use cases. Thus, the contribution of this paper is a process for the elaboration and revision of a nor- 
mative framework by means of a semi-automatic and iterative process driven from specifications of 
(un)desirable behaviour. The process integrates a novel and general methodology for theory revision 
based on ASP. 

KEYWORDS: normative frameworks, inductive logic programming, theory revision 



1 Introduction 

Norms and regulations play an important role in the governance of human society. Social 
rules such as laws, conventions and contracts prescribe and regulate our behaviour. By pro- 
viding the means to describe and reason about norms in a computational context, normative 
frameworks (also called institutions or virtual organisations) may be applied to software 
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systems. Normative frameworks allow for automated reasoning about the consequences of 
socially acceptable and unacceptable behaviour by monitoring the permissions, empow- 
erment and obligations of the participants and generating violations when norms are not 
followed. 

Just as legislators, and societies, find inconsistencies in their rules (or conventions), so 
too may designers of normative frameworks. The details of the specification makes it rela- 
tively easy to miss crucial operations needed to help or inhibit intended behaviour. To make 
an analogy with software engineering, this characterises the gap between requirements and 
implementation and what we describe here can be seen as an automated mechanism to 
support the validation of normative frameworks, coupled with regression testing. 

The contribution of the work is twofold. Firstly, we show how inductive logic program- 
ming (ILP) can be used to fill gaps in the rules of an existing normative framework. The 
designer normally develops a system with a certain behaviour in mind. This intended be- 
haviour can be captured in use cases which comprise two components: a description of a 
scenario and the expected outcome when executing the scenario. Use cases are added to 
the program to validate the existence of an answer set. Failure to solve the program indi- 
cates that the specification does not yield the intended behaviour. In this case, the program 
and the failing use case(s) are given to an inductive learning tool, which will then return 
suggestions for improving the normative specification such that the use cases are satisfied. 
Secondly, we present a novel integrated methodology for theory revision that can be used 
to revise a logic program under the answer set semantics (ASP) and supports the devel- 
opment process by associating answer sets (that can be used for debugging purposes) to 
proposed revisions. Due to the non-monotonic nature of ASP, the designer can provide the 
essential parts of the use case creating a template rather that a fully specified description. 
The revision mechanism is general and can be applied to other domains. We demonstrate 
the methodology through a case study showing the iterative revision process. 

The paper is organised as follows. Section |2]presents some background material on the 
normative framework, while Section [5] introduces the ILP setting used in our proposed 
approach. Section |4] illustrates the methodology and how the revision task can be formu- 
lated into an ILP problem. We illustrate the flexibility and expressiveness of our approach 
through specifications of a reciprocal file sharing normative system. Section|5]discusses the 
details of the revision mechanism and the learning system. Section prelates our approach 
to existing work. We conclude with a summary and remarks on future work. 



2 Normative Frameworks 

The essential idea of normative frameworks is a (consistent) collection of rules whose 
purpose is to describe a principle of right action binding upon the members of a group and 
serving to guide, control, or regulate proper and acceptable behaviour [Merriam-Webster 
dictionary]. These rules may be stated in terms of events, specifically the events that matter 
for the functioning of the normative framework. 
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M = {£,T,C,g,X), where 

pe J"<;=>ifluent(p). (1) 

1. T=WUVUOUV ee£-^event(e). (2) 

2. g : A' X ^ ^ 2 I"--™ e g fsj; <^evtype(e, obs). (3) 

3. C : X x£ ^2^ x2^ where g g £-^^j <^evtype(e, act). (4) 
C{X,e) = eg £-^.^j <;=>evtype(e,viol). (5) 
(CT(0, e), CJ-C,/., e)) where ^t(^^ g) = p ^Vp 6 P ■ initiated(p, T) 

(i) C^(</), e) initiates a fluent ^ occMrred(e, /), £;X((^, T). (6) 

(ii) CJ-((/), e) terminates a C'^{(t>, e) = P <»Vp £ P ■ terminated(p, T) 

fluent ^^occurred{e,I),EX{<j),T). (7) 

4 c_>r ,j<r g(0,e) = B<i=>g G -B, 

,j,i,h r — f- ,|ir . , occurredfg, T)-f-occurred(e,T), 

5 J holdsat(pow(e),l),_BX(</.,T). (8) 
e! State Formula: A- = 2-^LJ^^ p g X <»holdsat(p, iOO). (9) 

(a) (b) 

Fig. 1 . |(a)| Formal specification of the normative framework and |(b)| translation of norma- 
tive framework specific rules into AnsProlog 



2.1 Formal Model 

The formalization of the above may be defined as conditional operations on a set of terms 
that represent the normative state. To provide the context for this paper, we give an outline 
of a formal event-based model for the specification of normative frameworks that captures 
all the essential properties, namely empowerment, permission, obligation and violation. 
We adopt the formalisation from dCUffe et al. 20 06V summarized in Figure [T(a)l because 
of its straightforward mapping to answer set programming. 

The essential elements of the normative framework are events {8), which bring about 
changes in state, and fluents {J^), which characterise the state at a given instant. The func- 
tion of the framework is to define the interplay between these concepts over time, in order 
to capture the evolution of a particular institution through the interaction of its participants. 
We distinguish two kinds of events: normative events (Snorm), that are the events defined 
by the framework, and exogenous events (Sex), some of whose occurrence may trigger 



normative events in a direct reflection of "counts-as" ( Jones and Sergot 1996j ), and others 
that are of no relevance to this particular framework. Normative events are further parti- 
tioned into normative actions (Sact) that denote changes in normative state and violation 
events (Evioi), that signal the occurrence of violations. Violations may arise either from 
explicit generation, (i.e. from the occurrence of a non-permitted event), or from the non- 
fulfilment of an obligation. We also distinguish two kinds of fluents: normative fluents that 
denote normative properties of the state such as permissions (V), powers (W) and obli- 
gations (O), and domain fluents (T)) that correspond to properties specific to a particular 
normative framework. A normative state is represented by the fluents that hold true in this 
state. Fluents that are not present are considered to be false. Conditions on a state (X) are 
expressed by a set of fluents that should be true or false. When the creation event occurs, 
the normative state is initialised with the fluents specified in I. 

Changes in a normative state are achieved through the definition of two relations: (i) the 
generation relation {Q), which implements counts-as by specifying how the occurrence 
of one (exogenous or normative) event generates another (normative) event, subject to the 
empowerment of the actor and the conditions on the state, and (ii) the consequence relation 
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(C), which specifies the initiation and termination of fluents, subject to the performance of 
some action in a state matching some condition. 

The semantics of a normative framework is defined over a sequence, cafled a trace, of 
exogenous events. Starting from the initial state, each exogenous event is responsible for a 
state change, through initiation and termination of fluents. This is achieved by a three-step 
process: (i) the transitive closure of G with respect to a given exogenous event determines 
all the generated (normative) events, (ii) to this all violations of non-permitted events and 
non-fulfilled obligations are added, giving the set of all events whose consequences deter- 
mine the new state, (iii) the application of C to this set of events identifies all fluents that 
are initiated and terminated with respect to the current state, so determining the next state. 
For each trace, we can therefore compute a sequence of states that constitutes the model of 
the normative framework for that trace. This process is realised as a computational model 
through answer set programming (see Section l2!2l l and it is this representation that is used 
in the learning process described in Section ID A detailed example of the formal model of 
an institution can be found in JCUffe et al. 2006l l. 

2.2 Computational Model 

The formal model described above can be translated into an equivalent computational 
model using answer set programming (ASP) JGelfond and Lifschitz 19911) with AnsProlog 
as the implementation language. AnsProlog is a knowledge representation language that 
allows the programmer to describe a problem and the requirements on the solutions in an 
intuitive way, rather than the algorithm to find the solutions to the problem. For our map- 



ping, we followed the naming convention used in the event calculus ( Kowalski and Sergot 1 986 1 
and action languages dGelfond and Lifschitz 19981 ). 

The basic components of the language are atoms, elements that can be assigned a 
truth value. An atom can be negated using negation as failure. Literals are atoms a 
or negated atoms not a. We say that not a is true if we cannot find evidence support- 
ing the truth of a. Atoms and literals are used to create rules of the general form: 
a •<— &i, ..., hrm not ci, ..., not c„, where a, hi and Cj are atoms. Intuitively, this means 
if all atoms hi are known/true and no atom Cj is known/true, then a must be known/true. 
We refer to a as the head and 6i, ..., &„, not ci, ..., not c„ as the body of the rule. Rules 
with empty body are called /acfi. Rules with empty head are referred to as constraints, in- 
dicating that no solution should be able to satisfy the body. A (normal) program (or theory) 
is a conjunction of rules and is also denoted by a set of rules. The semantics of AnsProlog 
is defined in terms of answer sets, i.e. assignments of true and false to all atoms in the pro- 
gram that satisfy the rules in a minimal and consistent fashion. A program may have zero 
or more answer sets, each corresponding to a solution. 

The mapping of a normative framework consists of three parts: a base component which 
is independent of the framework being modelled, the time component and the frame- 
work specific component. The independent component deals with inertia of the fluents, 
the generation of violation events of non-permitted actions and of unfulfilled obligations. 
The time component defines the predicates for time and is responsible for generating 
a single observed event at every time instance. The mapping uses the following atoms: 
ifluent(p) to identify fluents, evtype(e,t) to describe the type of an event, event(e) 
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to denote the events, instcLnt(i) for time instances, f inal(i) for the last time instance, 
next(il, 12) to estabhsh time ordering, occurred(e, i) to indicate that the (normative) 
event happened at time i, observed(e, i) that the (exogenous) event was observed at time 
i, holdsat(p, i) to state that the normative fluent p holds atz, and finally iiiitiated(p, i) 
and terminated(p, i) for fluents that are initiated and terminated at i. Note that exoge- 
nous events are always empowered, so that observed events are always occurred events, 
but that normative events are not, so their occurrence is conditional on their empowerment. 
Figure [T(b)| provides the framework specific translation rules, including the definition of 
all the fluents and events as facts. We translate expressions into AnsProlog rule bodies as 
conjunctions of literals using negation as failure for negated expressions. 

The translation of the formal model is augmented with a trace program, specifying the 
length of traces that the designer is interested in and rules to ensure that, all but the fi- 
nal time instance, is associated with exactly one exogenous event. Specific occurrences of 
events can be specified as facts (e.g. observed(event, instance)). We refer to a com- 
plete trace when all exogenous events for a giving time interval are specified. If a trace is 
incomplete when the model needs to determine the missing exogenous events. While not 
discussed in this paper, both the normative framework and the learning tool can deal with 
both types of traces. When the model is supplemented with the AnsProlog specification 
of a cornplete trace, we obtain a single answer set corresponding to the model matching 
the trac4j. In this case the complexity of computing the answer set is linear with respect 
to the number of time instance being modelled. This result can easily be derived from the 
structure of the program. Of course, in the absence of a complete trace, the complexity is 
NP-complete as the traces composed of all possible combinations of missing exogenous 
events are computed. See JCUffe 2007l l for further details and proofs. 



3 Learning 



Inductive Logic Programming (ILP) (Muggleton 19951 is a machine learning technique 



concerned with the induction of logic theories that generalise (positive and negative) ex- 
amples with respect to a prior background knowledge. For example, from the observa- 
tions (properties in this paper) Pfiy = {f ly{a), fly{b), not fly{c)} and a background 
knowledge containing the two facts bird{a) and bird{b), we can generalise the concept 
fly{X) ■(— bird{X). In non-trivial problems it is crucial to define the space of possible 
solutions accurately. Target theories are within a space defined by a language bias, that can 
be expressed using the notion of mode declaration ( [Muggleton 1995| l. 

Definition 1 

A mode declaration is either a head declaration, written modeh{s), or a body declaration, 
written modeb{s), where s is a schema. A schema is a ground literal containing special 
terms called placemarkers. A placemarker is either '+type', '—type' or '^type' where 
type denotes the type of the placemarker and the three symbols '+', ' — ' and '#' indicate 
that the placemarker is an input, an output and a constant respectively. 



^ The structure of the program (the stratified base part and observed events as facts), guarantees that the program 
has exactly one answer set. See tChffe 2007; for further details and proofs. 
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In the previous example a possible language bias would be expressed by three 
mode declarations in Mfiyi modeh{fly{+ animal)), modeb(bird{+ animal)) and 
modeb(penguin{+animal)). 

A rule h -(r- 61, ..., 6„ is compatible with a set M of mode declarations iff (a) h is the 
schema of a head declaration in M and bi are the schemas of body declarations in M where 
every input and output placemarkers are replaced by variables, and constant placemarkers 
are replaced by constants; (b) every input variable in any atom bi is either an input variable 
in h or an output variable in some bj,j < i; and (c) all variables and constants are of the 
corresponding type (enforced by implicit conditions in the body of the rules). From a user 
perspective, mode declarations establish how rules in the final hypotheses are structured, 
defining literals that can be used in the head and in the body of a well-formed hypothesis. 
s{M) is the set of all the rules compatible with M. 

Definition 2 

An ILP task is a tuple {P, B, M) where P is a set of conjunctions of literals, called prop- 
erties, -B is a normal program, called background theory, and M is a set of mode decla- 
rations. A theory H, called hypothesis, is an inductive solution for the task {P, B, M), if 
(i) H C s{M), and (ii) P is true in all the answer sets of B U H. 

Our approach for incremental development of a normative system supports the synthesis 
of new rules and revision of existing one from given use-cases. We are therefore interested 



in the task of Theory Revision (TR). As discussed in ( Corapi et al. 2009) , non-monotonic 
inductive logic programming can be used to revise an existing theory. The key notion is 
that of minimal revision. In general, a TR system is biased towards the computation of 
theories that are similar to a given revisable theory. Our revision algorithm uses a measure 



of minimality similar to that proposed in ( Wogulis and Pazzani 1993), and defined in terms 



of number of revision operations required to transform one theory into another. 

Definition 3 

Let T' and T be normal logic programs. A revision transformation r is such that r{T) — 
T', and T' is obtained from T by deleting a rule, adding a fact, adding a condition to a 
rule in T or deleting a condition from a rule in T. T' is a revision of T with distance 

c{T, T) = n iff T' = r"{T) and there is no m < n such that T' = r'^iT). 

For example, given the theory Tfiy = {fly{X) ^ bird{X)}, T'^i^ = {fly{X) ^ 
bird{X),not penguin{X)} is a revision of T with distance 1. Note that, although we 
refer to Definition[3] it is also possible to weight revisions differently or introduce different 
transformations. 

Definition 4 

A TR task is a tuple (P, B, T, M) where P is a set of conjunctions of literals, called /7ro/7- 
erties, P is a normal program, called background theory, T C s{M) is a normal program, 
called revisable theory, and M is a set of mode declarations. The theory T' , called revised 
theory, is a TR solution for the task (P, B, T, M) with distance c{T, T), iff (i) T' C s{M), 
(ii) P is true in all the answer sets of PUT', (iii) if a theory S exists that satisfies conditions 
(i) and (ii) then c{T, S) > c{T, T'), (i.e. minimal revision). 
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Fig. 2. Iterative design driven by use cases. 

For example, let Bfiy — {animal{X). bird{X). penguin{c).}, Tfiy, Pjiy and Mjiy 
as in the previous examples. Ti, is a TR solution for the task {Pfiy ,Bfiy,Tfiy, Mfiy ) with 
distance 1. The main difference with the ILP task given in Definition |2] is the availability 
of an initial revisable theory and the consequent bias, as discussed in more detail in the 
following sections. 

4 Revising Normative Rules 

4.1 Methodology 

Use cases represent instances of executions that are known to the designer and that drive the 
elaboration of a normative system. If the current formalisation of a normative system does 
not match the intended behaviour in the use cases then the formalisation is not complete or 
is incorrect, and an extension or revision is required. 

Each use case u G [/ is a tuple (T, O) where T, a trace, specifies a set of exogenous 
events (observed(e, t)), and O is a set of holdsat and occurred literals that represent 
the expected output of the use case. Given a set U of use cases, Tjj and Ojj denote, re- 
spectively, the set of all the traces and expected outputs in all the use cases in U. The time 
points of the different use cases relate to different instances of executions of the normative 
system to avoid the effect of events in one use case affecting the fluents of another use 
case. The use cases can, but do not have to, be complete traces (i.e. an event for each time 
instance) and expected output can contain positive as well as negative literals. 

For a given translation of a normative framework N, the designer must specify what 
part of the theory is subject to revision. The theory is split into two parts: a "revisable" 
part, Nt, and a "fixed" part, Nb- By default the former includes rules of the form ^, (|7]i 
and ^, given in Figure |l(b)[ and the latter includes the rest of the representation of the 
normative system and the set Tjj of the traces in U. 

Given a set U of use cases, a TR task for a normative framework f\f is de- 
fined as the tuple {Ou,Nb U Tu,Nt,M), where M includes by default a body 
declaration for any static relation declared in Nb, and the following mode dec- 
larations (where the schema is opportunely formed by substituting arguments 
with input placemarkers): ■modeh{occurred{e* ,+instant)), for each e G £norm\ 
modeh{initiated{f*, -\-instant)) and modeh{terminated{f*, +instant)), 

for each f ^ F; modeb{holdsat{f* ,+instant)), for each f ^ F; 
niodeb{occurred{e* , +instant)), for each e G £". 

The choice of the set of mode declaration M is crucial and is ultimately the responsibiUty 
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of the designer. Many mode declarations ensure higher coverage of the specification but 
increase the computation time. Conversely, fewer mode declarations improve performance 
but may result in partial solutions. The choice may be driven, for example, by previous 
design cycles, or interest in more problematic parts of the specification. 

As shown in Figure |2] the design of a normative system is an iterative process. The 
representation TV in AnsProlog of a system described by the designer using a normative 
language is tested against a set of use cases also provided by the designer. This analysis 
step is performed by running an ASP solver over N, extended with the observed events 
included in the use cases, and a constraint indicating that no answer set that does not 
satisfy O is acceptable. Conceptually, if the solver is not able to find an answer set (i.e. 
returns unsatisfiable), then some of the given use cases are not satisfied in the answer sets 
of N and a revision step is performed. Possible revisions are provided to the designer who 
ultimately chooses the most appropriate one. 

4.2 Case Study 

We illustrate the methodology with a small but rich enough case study that demonstrates 
the key properties and benefits of our proposed approach. The following is a description of 
a reciprocal file sharing normative framework. 

The active parties — agents — of the scenario find themselves initially in the situation of having 
ownership of several (digital) objects — the blocks — that form part of some larger composite (digital) 
entity — a file. An agent is required to share a copy of a block they hold before they can download a 
copy of block they are missing. Initially each agent holds the only copy of a given block and there is 
only one copy of each block in the agent population. Some vip agents are able to download blocks 
without any restriction. Agents that request a download and have not shared a block after a previous 
download generate a violation for the download action and a misuse violation for the agent. A misuse 
terminates the empowerment of the agent to download blocks. 



The designer devises the following use case (T, O): 

observed{start. zOO). 

observed{download{alice, bob, x3), iOl) 
observed{download{charlie, bob, x3), i02). 



T = { 



observed(download(bob,aUce,xl),i03). n - ) notviol{myDownload(bob,xl),i03) 



not viol{myDownload{alice, a:3), iOl). 
not viol{my Download{charlie, a:3), i02). 



observed{download{charlie, alice, xl), i04) 
observed{download{alice, charlie, a:5), i05) 
observed{download{alice, bob, xA), i06) 



not viol{myDownload{charlie, xl), i04) . 
not viol{myDownload{alice, x5), i05). 
viol{myDownload{alice, xA) , 206) . 



The use case models a sequence of events that includes a violation at the time point 
i06, while the download events at the other time points do not generate violations. In the 
trace, charlie performs a download at time point i04 without sharing a block after the 
last download. This is not expected to generate a violation since charlie is defined as vip 
{isV IP [charlie) e N). 

The initial normative system includes the domain component and type definitions given 
in Figure [T(b)] and a specific component given by the following revisable theory Nt'- 

ferule 1 

initiated (hasblock(X,B) , I) :- 
occurred ( myDownload(X,B) , I ) . 
%rule 2 
initiated ( perm ( myDownload(X,B) ) , 1 ) : — 

occurred ( my Share (X) , I ) . 
%rule 3 
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terminated (pow( extendedfilesharing , myDownload{X,B) ) , I ) : — 

occurred ( misuse (X) , I ) . 
ferule 4 
terminated { perm (my Download {X,B2) ) , I ) : — 

occurred ( myDownload(X,B) , I ) . 
%rule 5 
occurred (myDownload(X,B) , I ) : — 

occurred ( download(Y, Y,B) ,1) , holdsat ( hasblock (Y,B) , I ) . 
%rule 6 
occurred ( myShare (X) , I ) : — 

occurred ( download(Y,X,B) ,1), holdsat(liasblock(X,B),I). 

Given the use case and the above formalisation of the normative system, the first iteration 
of our approach proposes, through the revision process, the deletion of a condition in rule 
5 and addition of a condition to rule 4 as shown below (leaving the other rules unaltered): 

%rule 4 — revised 

terminated (perm(myDownload(X,B2) ) , I ) ; — 

not isVIP(X), occurred (myDownload(X,B) , I) . 
%rule 5 — revised 
occurred (myDownload(X,B) , I ) : — 

holdsat(hasblock(Y,B) ,1) . 

However, this is not yet the intended formalisation. As an additional debugging facility 
the designer can request the set of violations that are true in the answer sets that cor- 
responds to the revision and notice that unwanted violations are generated at each time 
point. This feedback can be used to refine the use case provided. In fact the use case spec- 
ifies the single specific violations that must not occur but it does not request explicitly that 
no violations should occur in the first five time points (e.g. viol(myDownload(alice,x3),i02), 
viol(myDownload(alice,x4),i02)). These violations can be observed in the answer set associ- 
ated with the revision. The designer can then improve the use case by modifying the set of 
expected outputs: 

Iviol(my D ownload(alice , a;4), i06). 
not viol{myDownload{A, B),T),T\ = i06. 
occurred{misuse{alice) , z06). 
not occurred{misuse{X) , T). T! — z06. 

In the subsequent iteration, the revision process suggests changes that include those iden- 
tified in the previous iteration (i.e. addition of condition in rule 4 and deletion of condition 
in rule 5), and the addition of a further condition in the body of rule 5. The combined effect 
of these changes fixes the original error in the specification, by also changing the name of 
one of the variables. Furthermore, since the output O of the use case includes a desired 
misuse event, which is not currently formalised in the system, the revision also suggests 
the new rule 7 given below. The final theory N!j, includes the following rules (leaving 
untouched rules 1, 2, 3 and 60 

%rule 4 — revised 
terminated (perm(myDownload(X,B2) ) , I ) : — 

not isVIP(X), occurred (myDownload(X,B) , I) . 
%rule 5 — revised 
occurred ( myDownload(X,B) , I ) : — 

occurred ( download (X,Y,B) ,1) , hold.s at ( hasblock (Y,B) .1) . 
%ruie 7 — new 
occurred ( misuse (X) , I ) : — 

occurred ( viol (myDownload(X,B) ) , I ) . 



^ The revision is generated in 23 seconds by ICLINGO <Gebseret al. 2007^ on a 2.8 GHz Intel Core 2 Duo iMac 
with 4 GB of RAM. 
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In summary, after a few iterations rule 4 is corrected by adding an exception not isVIP(X), 
rule 5 is revised by correcting a typographical error in its condition (i.e. the name of a vari- 
able was not the intended one - occurred(download(Y,Y,B),I)), and finally, a new rule is 
learnt that defines misuse coherently with respect to the provided use case. 

5 Theory revision through ASP 

In this section we provide more details about the revision process. We first introduce all the 
computational steps to derive a revision with respect to a set of use cases. Then we delve 
into the details of the learning system, describing the integrated ASP-based ILP approach. 
The revised normative system Nb U Nfp is computed by means of two program transfor- 
mations and an abductive reasoning process executed in ASP, which derives prescriptions 
for revisions and new rules in the form of abducibles. The abductive solution has a one-to- 
one mapping to a revision of the initial theory. 

5.1 Revision 

The approach described in this section can be applied to other problems of TR. To the 
best of our knowledge, our methodology is the only one currently available that is able 
to support revision of non-monotonic AnsProlog theories that supports integrity con- 
straints, aggregates and other ASP constructs, providing revisions as answer sets. Oper- 
ationally, the revision is performed using a similar transformation to the one described 
in ( jCorapi et al. 2009} . Figure [3] details the revision steps for one of the rules in the case 
study described above and Algorithm [T] illustrates the phases. We present the conceptual 
steps and refer the reader to ( [Corapi et al. 2009} for further details. 

Input: Nb fixed theory; Nt £ s{M) revisable theory; P set properties; M mode declarations 
Output: A'^^ revised theory according to the given P 

(iVr, M) = pre-processing(iVT, M); 

H = ASPAL(P, Nb U iVr, M); 

A'^^ = post-processing(A^T, H); 

return A^^; 

Algorithm 1: Phases of the revision algorithm. 

A pre-processing phase lifts the standard ILP process of learning hypotheses about ex- 
amples up to the (meta-)process of learning hypothesis about the rules and their exception 
cases. For every rule in Nt, every body literal c* is replaced by the atom try{i,j,c'A, 
where i is the index of the rule, j is the index of the body literal in the rule and the third 
argument is a reified term for the literal ri. not exception{i, hi,Vi) is added to the body 
of the rule where i is the index of the rule, hi is the reified term for the head of the rule 
and Vi is an optional list of additional variables appearing in the body (see Figure [3]l. The 
try predicate is defined in such a way that whenever del{i,j) is true, the meta-condition 
try{i, j, c* ) is always true. Otherwise try{i, j, c* ) is true whenever c* is true. Facts of the 
type del{i,j) can be learnt by the ILP system used within the revision. M specifies mode 
declaration of rules that can be added together with additional head declarations that are 
added to take into account the newly introduced del and exception predicates. 
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1 - Pre-processing (rules in Nt) 2 - Learning (rule in H) 



terminated ( perm {myDownload(X, B2) ) , I ) : — 

try(4, 1, occurred (myDownload(X,B) , I ) ) , ----f^. "■■ v '^^' " 

not exception (terminated {perm( 
myDownload(X,B2)) ,1) , B) . 



exception ( terminated (perm (myDownload(X, B2 

)),i), 

isVIP(X) . 

3 - Postprocessing (rule in N^) 



try (4, 1, occurred (myDownload (X,B) , I ) ) : — 

not del (4, 1), 

occurred (myDownload(X,B) ,1). terminated ( perm (myDownload(X, B2) ) ,1) :- 

not isVIP(X) , 
try(4, 1, occurred (myDownload(X,B) , I)) :- occurred (myDownload(X,B) , 1 ) . 

del(4, 1). 

Fig. 3. Detailed revision transformations for rule 4 (Section |4|2]l 

In the learning phase, given the pre-processed theory Nt and the new mode declarations 
M, the following ILP task is executed (P, Nb DNt, M), using ASPAL, the learning system 
described in Section |5T2l The outcome of the learning phase H is used in a post-processing 
phase which generates a revised theory N!p semantically equivalent to NtUH. Informally, 
for each del{i,j) fact in H the corresponding condition j in rule i in Nt is deleted. For 
each exception rule in H of the form exception{i, hi,Vi) -s— ci , ..., c„, the corresponding 
rule i in Nt is substituted with n new rules, one for each condition c/j, 1 < fc < n. 
Each of these rules k will have in the head the predicate hi and in the body all conditions 
present in the original rule i in Nt plus the additional condition not c{k). An exception 
with empty body results in the original rule i being deleted. An exception for which at least 
two conditions share variables is kept as an additional "exception concept" in the revised 
theory. The pre-processing and post-processing phases perform syntactic transformations 
that are answer set preserving and do not involve the answer set solver 



5.2 ASPAL 

The system used in this work, called ASPAL (ASP Abductive Learning), though used here 
to support the revision of a normative system, can be applied more generally to non- 
monotonic ILP problems. It is based on the transformation from an ILP task to an abductive 
reasoning task, used in a recently proposed ILP system (Corapi et al. 2010}. 



This system offers several advantages over other existing ILP approaches, making it par- 
ticularly suited for normative design. ASPAL is able to handle negation within the learning 
process, and therefore reason about default assumptions governing inertial fluents; to per- 
form non-observational and multiple predicate learning, thus computing hypotheses about 
causal dependencies between observed sequences of events and normative states; and to 
learn non-monotonic hypotheses, which is also essential for theory revision. Furthermore, 
the learning can be enabled by a simple transformation of the mode declarations and does 
not require the computation of a bridge theory jYamamoto et al. 20101 ). As discussed in 



( Corapi et al. 2010j ), none of the existing ILP systems provides the above mentioned fea- 



tures. Embedding the learning process within ASP reduces the semantic gap between the 
normative system and the learning process and permits an easier control of the whole pro- 
cess. The notion of revision distance as in Definition[3]can be managed by the optimisation 
facilities provided by modern ASP solvers JGebser et al. 200'7b . Optimisation statements 
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can be used to derive answer sets that contain a minimal number of atoms of a certain type 
that ultimately relate to new rules or revisions, as explained in this section. 



As in (Corapi et al. 2010 1, an ILP task (P, B, M) is transformed into an abductive logic 



programming problem jKakas et al. 1992l l. thus enabling the use of AnsProlog. Let us 
introduce some preliminary notation. Given a mode declaration modeh{s) or modeb{s), 
id is a unique identifier for the mode declaration, s is the literal obtained from s by replac- 
ing all placemarkers with different variables Xi, ..., X„; type{s, s) denotes the sequence 
of literals ti{Xi), ..., i„(X„) such that ti is the type of the placemarker replaced by the 
variable Xf, con{s, s) — (Ci, ..., Cc) is the constant list of vaiiahles in s that replace only 
constant placemarkers in s. inp{s, s) — (/i, ..., li) and out{s, s) — (Oi, ..., Oo) are de- 
fined similarly for input and output placemarkers. Since s is clear from the context, in the 
following we omit the second argument from type{s, s), con{s, s), inp{s, s) and out{s, s). 
Given a set of mode declarations M, a top theory T = t{M) is constructed as follows: 

• For each head declaration modeh{s), with unique identifier id, the following rule is in T 

s ■«— 
rule(RId, [id, con(s), ()), 

ruleJd{RId), (10) 

iype(s), 
body{RId, 1, inp{s)) 

• For each body declaration modeb{s), with unique identifier id the following clause is in T 

body{RId,L,I) -h- 
rule{RId, L, {id, con(s), Links)), 
link{inp{s), I, Link), 

s, (11) 

type{s), 

append{I,out{s), O), 
hody{RId,L + l,0) 

• The following rule is in T together with the definitions for the link, ruleSd and append 
predicates: 

body{RId, L, _) •«— rule{RId, L, last) 



ruleJd{rid) is true whenever 1 < rid < rn where rn is the maximum number of new rules 
allowed. link{{ai, ...,am), {bi, ■■■, bn), (oi, ..., Om)) is true if for each element in the first 
list Ui, there exists an element in the second list bj such that Oj unifies with bj and o^ = j. 
Given the top theory, we seek a set of rule atoms A, such that P is true all models of 
-B U T U A. A has a one-to-one mapping to a set of rules H — u(A, Al). Intuitively, each 
abduced atom represents a literal of the rule labelled by the first argument. The second 
argument collects the constant used in the literal and the third disambiguates the variable 
linking. Fig.|4]shows the learning steps for rule 4 of our example. 

For space limitations we only state the main soundness and completeness theorem 



( Corapi and Russo 201 1 1 of the learning system. 
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Inputs 

Mode declarations M 

exception ( terminated (perm (my Download 
(+ agent ,+ block:)) ,+ instant) , +block) . 



Properties P 



viol (myDownload( alice , x4) , i06 ) . 

not viol (myDownload(A,B) ,T) , T!= i06 . 

occurred (misuse( alice ) , i06) . 

not occurred (misuse(X) , T) , T!= i06 . 



Background theory B 

terminated ( perm (myDownload(X, B2) ) , I ) : — 
try(4, 1, occur red( myDownload(X,B) , 1 ) ) , 
not exception (terminated (perm( 
myDownload(X,B2)) ,1) , B) . 

try (4, 1, occurred (my Download (X,B),I)) : — 
not del (4 , 1) , 
occurred (myDownload(X,B) , I ) . 

try(4, 1, occurred (my Download (X,B),I)) : — 
del(4, 1). 



Top theory T 

exception (4, terminated ( perm ( my Download (A 
,B)),T)) :- 
instant(T), block(B), agent(A), 
rule. id (RID) , 

i-ule(RID, 0, (e4, () , () )) , 
body(RID, 1 , (A, B, T)) . 

body(RID, Level, (A, B, T)) :- 
agent(A), block(B), instant(T), 
rule.id(RID) , 
link(Ll, (A, B, T) , LRl) , 
i-ule(RID, Level, (isv, (), (LRl))), 
isVIP(LI) , 
body(L + 1, RID, (A, B, T) ) . 

body(RID, L, .):- 
rule (RID, L, last ) . 

Abductive solution A 

rule(0, 0, (e4, () , ())), 
rule(0, 1, (isv , () , (1))), 
rule(0, 2, last) 

Output 

Inductive solution H 

exception (terminated ( perm (myDownload 
(X,B2)),I), B) :- 
isVIP(X) . 



Fig. 4. Learning steps for rule 4 (Sec. l4.2l l. We show only the relevant mode declarations 
and rules. 

Theorem 1 

Given an ILP task (P, B, M), H is an inductive solution if and only if there is a A such 

that H = u(A, M), T = t{M) and P is true in all the answer sets of B U T U A. 

The ASP solver is used to compute a set of solutions A, that can be translated back into 
a set of inductive solution. Soundness and completeness for the revision procedure rely 
on Theorem[T]and on the underlying ASP solver properties. These properties also ensure 
that if a set of theories that matches the requirements exists within the language bias of 
the learning, in the limit, if a complete set of all use cases (an extensional specification 
of the requirements) is provided, the revision converges to the expected theory. This is 
of course an ideal case. In practice the system outputs more accurate solutions as more 
comprehensive use case sets are provided. 



6 Discussion and Related Work 

The motivation behind this paper is the problem of how to converge upon a complete 
and correct normative system with respect to the intended range of application, where in 
practice these properties may be manifested by incorrect or unexpected behaviour in use. 
Additionally, we observe, from practical experience with our particular framework, that it 
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is often desirable to be able to develop and test incrementally and regressively rather than 
attempt verification once the system is (notionally) complete. 

The literature seems to fall broadly into three categories: (a) concrete language 
frameworks (OMASE (Gai-cia-Ojeda et al . 2007) 1, Operetta ( [Okouya and Dignum 2008[ ), 



InstAL (ICUffe et al. 2006J . MOISE (.Hubner et al. 2007l l. Islander ffisteva et al. 2002t . 
OCeAN jFornara et al. 2008]) and the constraint approach of Garcia-Camino et al. 
dOarcia-Camino et al. 2009l l) for the specification of normative systems, that are typ- 
ically supported by some form of model-checking, and in some cases allow for 
change in the normative structure; (b) logical formalisms, such as JGarion et al. 2009"]) . 
that capture consistency and completeness via modalities and other formalisms like 
jBoella et al. 2009a]) . that capture the concept of norm change, or JVasconcelos et al. 20071 ) 
and JCardoso and Oliveira 2008T ): (c) mechanisms that look out for (new) conven- 
tions and handle their assimilation into the normative framework over time and sub- 
ject to the current normative state and the position of other agents (lArtikis 20091 
IChristelis and Rovatsos 2009 1. Essentially, the objective of each of the above is to real- 
ize a transformation of the normative framework to accommodate some form of short- 
coming. These shortcomings can be identified in several ways: (a) by observing that a 
particular state is rarely achieved, which can indicate there is insufficient normative guid- 
ance for participants, or (b) a norm conflict occurs, such that an agent is unable to act 



consistently under the governing norms ( KoUingbaum et alT} , or (c) a particular violation 



occurs frequently, which may indicate that the violation conflicts with an effective course 
of action that agents prefer to take, the penalty notwithstanding. All of these can be viewed 
as characterising emergent ( Savarimuthu and Cranefield 2009 j approaches to the evolution 
of normative frameworks, where some mechanism, either in the framework, or in the en- 
vironment, is used to revise the norms. In the approach taken here, the designer presents 
use cases that effectively capture the behavioural requirements for the system, in order to 
'fix' bad states. This has an interesting parallel with the scheme put forward by Serrano and 



Saugar ( Serrano and Saugar 2010 1, where they propose the specification of incomplete the- 
ories and their management through incomplete normative states identified as "pending". 

In JBoella et al. 2009bJ . whether the norms here are 'strong' or 'weak' — the first guideline — 
depends on whether the purpose of the normative model is to develop the system specifica- 
tion or additionally to provide an explicit representation for run-time reference. Likewise, 
in respect of the remaining guidelines, it all depends on how the framework is actually 
used: we have chosen, for the purpose of this presentation, to stage norm refinement so 
that it is an off-hne (in the sense of prior to deployment) process, while much of the dis- 
cussion in (IBoella et al. 2009b] ) addresses run-time issues. Whether the process we have 
outlined here could effectively be a means for on-line mechanism design, is something 
we have yet to explore. Within the context of software engineering, ( [Alrajeh et al. 2007| 
shows how examples of desirable and undesirable behaviour of a software system can be 
used by an ILP system, together with an incomplete background knowledge of the envi- 
sioned system and its environment, to compute missing requirements specifications. There 
are several elements in common with the scheme proposed here. 

From an ILP perspective, we employ a system that can learn logic programs with nega- 
tion (stratified or otherwise) and, unlike other existing nonmonotonic ILP systems (;Sakama2001bl ) 
is supported by completeness results, is integrated into ASP and can be tailored to partic- 
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ular design requirements. Some properties and results of ILP in the context of ASP are 
shown in (ISakama2001al l. The author also proposes an algorithm for learning that is sound 
but not complete and, differently from the approach proposed here, employs a covering 
loop approach. 



7 Conclusions and Future Work 

The motivation for this work stems from a real need for tool support in the design of 
normative frameworks, because, although high-level, it is nevertheless hard for humans 
to identify errors in specifications, or indeed to propose the most appropriate corrective 
actions. We have described a methodology for the revision of normative frameworks and 
how to use tools with formal underpinnings to support the process. Specifically, we are 
able to revise a formal model — represented as a logic program — that captures the rules of 
a normative system. The revision is achieved by means of inductive logic programming, 
working with the same representation, informed by use cases that describe instances of 
expected behaviour of the normative system. If actual behaviour does not coincide with 
expected, theory revision proposes new rules, or modifications of existing rules, for the 
normative framework. Furthermore, given correct traces, the learning process guarantees 
convergence — the property of "learning in the limit". 

From this firm foundation, which properly connects a theory of normative systems with 
a practical representation, there are three directions that we aim to pursue: (i) definition of 
criteria for selecting solutions from alternative suggestions provided by the learning (we 
are currently investigating the use of crucial literals JSattar and Goebel 199 1^) (ii) intro- 
duction of levels of confidence in the use cases and their use for selecting the "most likely" 
revision, in addition to the general criteria of minimal revision: i.e. combine some domain- 
independent heuristics with some domain-specific heuristics such as level of confidence 
in use cases (iii) extension to interactions between normative frameworks and a form of 
cooperative revision. Additionally, there is the matter of scalability. The computation time 
increases with the number of rules, time steps, errors in the theory and in particular, mode 
declarations and language bias for the learning. That is, it grows with the state space of 
the normative framework and the "learning space", i.e. is all possible theories we can con- 
struct given our language bias. We need to experiment further to understand better to which 
factors performance is sensitive and how to address these issues. 
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